OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

CURRENT PRACTICES IN ELECTRONIC RECORDS AUTHENTICATION

February 2004   A-04-04-24004

MANAGEMENT ADVISORY REPORT

Mission

We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations, and management and in our own office.

SOCIAL SECURITY
MEMORANDUM

Date: February 3, 2004
To: The Commissioner
From: Inspector General
Subject: Current Practices in Electronic Records Authentication (A-04-04-24004)

OBJECTIVE

The objective of our review was to identify current practices for electronic records authentication in place at public and private entities.

BACKGROUND

On June 30, 2000, the President signed Senate Bill 761, entitled Electronic Signatures in Global and National Commerce Act (Act).¹ Under this legislation, no contract, signature or record can be denied legal effect solely because it is in an electronic form.² The Act does not describe how to implement electronic signatures or what technology to use.

Increasingly, Federal agencies are using the World Wide Web and other Internet-based applications to provide on-line public access to information and services, as well as to improve internal business operations. Identity fraud is forcing public and private organizations to carefully address the issue of user authentication.

Some current methods to authenticate electronic records include public key infrastructure (PKI), knowledge-based authentication, and electronic signature capture. See Appendix A for additional background information, scope and methodology.

¹ Pub. Law No. 106-229.
² 15 U.S.C. § 7001(a)(1) (2003).

Page 2 – The Commissioner

RESULTS OF REVIEW

The Social Security Administration (SSA) continues to move forward with its electronic service delivery initiative, which will ultimately allow work to be handled electronically, in a paperless environment. Under this initiative, records will be accessed and verified electronically and customer interaction will occur through secure networks. SSA has a choice of several electronic records authentication technologies for use in its electronic service delivery initiative, including PKI, knowledge-based authentication, and electronic signature capture. SSA currently uses PKI and knowledge-based authentication in some areas of its business operations.

We believe it is beneficial for SSA to consider the experiences of other public and private organizations with electronic records authentication technologies as they relate to the agency's electronic service delivery initiative. This report provides information on the experiences that some private and public entities have with PKI, knowledge-based authentication, and electronic signature capture in their business operations.

• PKI uses a combination of computer software, hardware, and encryption techniques to allow users to securely communicate over computer networks. The Centers for Disease Control has successfully used PKI to authenticate communications between its external parties.

• Knowledge-based authentication tests a user's recall of inherently personal information. eBay uses a form of knowledge-based authentication in its on-line auction operations.

• Electronic signature capture uses computer hardware and software to electronically capture an image of a person's signature, which can be placed within an electronic document. Colonial Life & Accident Insurance Company uses electronic signature capture and has eliminated the need for most paper records.

An official at the National Archives and Records Administration (NARA) explained that electronic records storage is a viable archive format. He suggested periodically migrating electronically stored files to newer, less expensive storage mediums to help ensure that electronically stored information remains readily accessible and to minimize electronic information storage costs. The NARA official also suggested considering storing data in standard formats that are easily read by most software and require less storage space.

PUBLIC KEY INFRASTRUCTURE

PKI authentication technology has existed for over two decades. PKI is formed by a combination of computer software, hardware, and encryption techniques that allow a user to complete secure communications and transactions over computer networks.

Entities using PKI benefit from the convenience and speed of the internet. They also benefit from knowing that critical information is guarded from unauthorized use. PKI protects information in several ways because it:

• authenticates the identity of users,
• verifies that the message has not been tampered with,
• protects information from interception during transmission, and
• minimizes the risk of an electronic transaction later being denied as a forgery.

PKI is based on an electronic key pair. The key pair consists of a unique private key and a corresponding public key. The keys are encrypted and mathematically related. In a PKI system, the private key must be closely guarded and kept secret by its owner. However, the corresponding public key can be freely sent to others within the PKI network who need to communicate securely with the private key holder. A user's public key may be broadly distributed for others to use because only the holder of the related private key can decrypt a message. In practice, the sender encrypts a message with the intended recipient's public key. Because of the mathematical relationship between the user's private key and public key, only the recipient holding the related private key can decrypt or read the message.

Certificate authorities (CAs) act like a passport office for the digital world. The CA is responsible for validating a potential key holder's identity. Additionally, the CA creates and issues to users digital certificates, which house the public key. A PKI system must rely on a trusted CA to distribute public keys and authenticate the identity of the user associated with the key pair. The CA functions are sometimes contracted to a third party.

Just as CAs act as a passport office for the digital world, the digital certificates created by a CA act as on-line passports or electronic credentials. The digital certificate, an electronic file, binds a user's identity to their public key. The CAs place the user's public key and other identifying information into each digital certificate and then encrypt it to protect against tampering or alteration. A typical digital certificate, which is unique to each user, contains the user's name, public key, and the CA's name. Digital certificates are installed on a user's computer or network to automate the distribution of the public keys, which are derived from their mathematically related private keys. A user's private key also resides on their computer or server.

Despite the apparent complexity of PKI, the actual authentication process requires little user interaction. For example, to initiate a PKI-based message, a user simply logs into a network using special software installed on their computer.
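Before continuing with that login flow, the mechanics just described (the key pair, the CA-issued certificate binding a name to a public key, and encryption with the recipient's public key) worked through in Go as an added example; this is not code from the report or from any organization it discusses. The names, serial numbers and message are constructed, identity proofing of the applicant is assumed to have been done before the CA issues the certificate, and the example uses the CA's digital signature over the certificate as the tamper protection, so a certificate altered after issuance, or one issued by a CA the relying party does not trust, fails the check.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Participant is one PKI user, or the CA itself: a key pair whose private half
// stays with its owner, plus the certificate binding the owner's name to the public half.
type Participant struct {
	Name string
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// New generates a key pair for name and has ca sign a certificate carrying the name
// and public key; identity proofing is assumed to have happened out of band. With a
// nil ca the certificate is self-signed and marked as a CA: the trusted "passport office".
func New(name string, serial int64, ca *Participant) (*Participant, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	parent, signer := tmpl, key // self-signed unless a CA is given
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		parent, signer = ca.Cert, ca.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Participant{Name: name, Key: key, Cert: cert}, nil
}

// Verify is the relying party's "passport check": the certificate must chain to a CA
// we trust, and the CA's signature over its contents must still match.
func Verify(cert, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Encrypt seals a message with the public key carried in the recipient's (already
// verified) certificate; only the matching private key can open it.
func Encrypt(recipient *x509.Certificate, msg []byte) ([]byte, error) {
	pub, ok := recipient.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a sealed message with this participant's private key.
func (p *Participant) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.Key, ct, nil)
}

// AlteredSubject simulates a certificate whose name was edited after issuance (same
// length, so the DER still parses). Verify rejects it: the CA signature no longer matches.
func AlteredSubject(cert *x509.Certificate, oldName, newName string) (*x509.Certificate, error) {
	der := append([]byte(nil), cert.Raw...)
	i := bytes.Index(der, []byte(oldName))
	if i < 0 || len(oldName) != len(newName) {
		return nil, errors.New("name not found, or replacement has a different length")
	}
	copy(der[i:], newName)
	return x509.ParseCertificate(der)
}

func main() {
	ca, _ := New("Example CA", 1, nil) // constructed names and message
	alice, _ := New("alice", 2, ca)
	ct, _ := Encrypt(alice.Cert, []byte("sealed for alice only"))
	pt, _ := alice.Decrypt(ct)
	forged, _ := AlteredSubject(alice.Cert, "alice", "bobby")
	fmt.Println(Verify(alice.Cert, ca.Cert) == nil, string(pt), Verify(forged, ca.Cert) != nil)
}
```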
Once logged in, the PKI electronically authenticates the user behind the scenes and allows for secure communication among parties.

Centers for Disease Control Uses PKI

The Centers for Disease Control (CDC), in Atlanta, Georgia, implemented PKI in 1999. The CDC's Secure Data Network (SDN) uses PKI to authenticate communications between its external partners. The CDC's PKI partners include hospitals, doctors, nurses, and health departments around the world that need to obtain and provide sensitive medical information. Because of the highly sensitive nature of the information being transmitted, CDC recognized the need for PKI to ensure user identity and data integrity. CDC collects enrollment data on prospective PKI users and confirms the potential user's identity. Once the CDC approves a new user, it uses a third-party CA to issue and administer the digital certificates. The CA also provides the resources and services to authenticate a message sent using CDC's PKI.

One of the biggest challenges CDC faced was configuring partners' hardware and software for use with its SDN. Without compatibility, secure authenticated communications cannot occur. In the personal opinion of a CDC official, if an organization has a sufficient volume of digital certificates, it should dedicate information technology (IT) staff to implement and support its PKI. The CDC's PKI system has also been developed so it may be integrated, as needed, into future eGovernment projects.

KNOWLEDGE-BASED AUTHENTICATION

Knowledge-based authentication is the most commonly used method for verifying a user's identity in a computer environment. Typically, at a computer logon prompt users are first asked to identify themselves and then are asked a series of challenge questions to authenticate themselves. The challenge questions should be unique to the individual user and not commonly known by others.

Knowledge-based authentication is relatively easy for an entity to implement, since it does not require users to have specialized hardware or software. In most cases, users can be authenticated using a standard personal computer linked to the internet. Other advantages are that users can protect their knowledge by simply remembering a few key pieces of information, the knowledge or information is portable, and, if necessary, it can be easily changed.

Passwords are the most common form of knowledge-based authentication and may provide adequate protection of electronic information. Passwords are widely used by persons with personal computers and internet access to conduct on-line transactions. Banks, credit card companies, utilities, brokerage houses, and on-line retailers use passwords to help authenticate their on-line customers and provide access to their internet-based services.

Although user friendly, password-based authentication can sometimes be insufficient in preventing unauthorized access. If not designed properly, password-based authentication may be vulnerable to "hackers" using software designed to guess common passwords. To increase security, password-based authentication systems should be designed to prevent multiple guessing and to identify and prevent the use of easily guessed passwords. Although a well-designed system is vital in protecting access, users themselves may be the weakest security link in a knowledge-based system. To improve security, users should be educated to protect their password from unauthorized use and to make their password sufficiently complex. Password integrity may be improved by the use of numbers, special characters, misspelled words, and nondictionary words.
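The two system-side controls just described, locking an account against repeated guessing and rejecting easily guessed passwords (including a listed word with digits or symbols bolted on), worked through in Go as an added example; this is not code from the report. The user names, the short word list and the lockout numbers are constructed, and the salted SHA-256 digest stands in for a slow password hash such as bcrypt or Argon2.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Constructed sample of easily guessed words; a deployment would load a large list.
var commonWords = map[string]bool{"password": true, "letmein": true, "qwerty": true, "welcome": true}

// CheckPasswordStrength rejects easily guessed choices (dictionary words, even with
// digits or symbols bolted on) and requires letters, numbers and special characters.
func CheckPasswordStrength(pw string) error {
	word := strings.Map(func(r rune) rune { // letters only, lower-cased: "Password1!" -> "password"
		if unicode.IsLetter(r) {
			return unicode.ToLower(r)
		}
		return -1
	}, pw)
	if commonWords[word] {
		return errors.New("password is a commonly used word or pattern")
	}
	symbol := func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }
	if word == "" || !strings.ContainsAny(pw, "0123456789") || strings.IndexFunc(pw, symbol) < 0 {
		return errors.New("password needs letters, digits and special characters")
	}
	return nil
}

var ErrBadCredentials, ErrLocked = errors.New("invalid user name or password"), errors.New("account temporarily locked after repeated failures")

type record struct {
	salt, hash  []byte
	fails       int
	lockedUntil time.Time
}

// Authenticator locks an account for Lockout after MaxFails consecutive failures.
type Authenticator struct {
	users    map[string]*record
	MaxFails int
	Lockout  time.Duration
	Now      func() time.Time // injectable clock, so lockout expiry can be tested
}

func NewAuthenticator(maxFails int, lockout time.Duration) *Authenticator {
	return &Authenticator{users: map[string]*record{}, MaxFails: maxFails, Lockout: lockout, Now: time.Now}
}

// digest stands in for a slow password hash (bcrypt, scrypt or Argon2 in production).
func digest(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

// Register enforces the strength policy before storing a salted hash.
func (a *Authenticator) Register(user, pw string) error {
	if err := CheckPasswordStrength(pw); err != nil {
		return err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	a.users[user] = &record{salt: salt, hash: digest(salt, pw)}
	return nil
}

// Login returns nil on success. Unknown users and wrong passwords get the same error,
// so the response does not reveal which accounts exist.
func (a *Authenticator) Login(user, pw string) error {
	rec, ok := a.users[user]
	if !ok {
		return ErrBadCredentials
	}
	now := a.Now()
	if now.Before(rec.lockedUntil) {
		return ErrLocked // refuse even a correct password while locked
	}
	if subtle.ConstantTimeCompare(digest(rec.salt, pw), rec.hash) == 1 {
		rec.fails = 0
		return nil
	}
	rec.fails++
	if rec.fails >= a.MaxFails {
		rec.fails, rec.lockedUntil = 0, now.Add(a.Lockout)
	}
	return ErrBadCredentials
}

func main() {
	a := NewAuthenticator(3, 15*time.Minute) // constructed policy values
	fmt.Println(a.Register("alice", "Correct-Horse-9"), a.Login("alice", "wrong-guess-1"))
}
```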
Additionally, users should be cautioned not to write and store their password next to the computer or to share it with others.

A more advanced application of knowledge-based authentication is available to cope with the increasing challenge of authenticating on-line users. VeriSign, Inc. (VeriSign), located in Mountain View, California, provides a unique third-party authentication service to entities conducting on-line transactions that require a high level of security. VeriSign's product, Consumer Authentication Service (CAS), asks users for multiple pieces of personal information and then cross-checks the responses against over 50 databases to authenticate them. CAS is fully supported by VeriSign and is designed to be integrated into existing internet browsers and computer networks.

When an on-line transaction is initiated, CAS, in real time, cross-checks personal information, such as home addresses, phone numbers, driver's license numbers, birth dates, and even email addresses, to authenticate a user. For high-value transactions or those involving sensitive information, CAS provides a higher level of validation by comparing responses to questions requiring more personal financial information, such as account numbers, account balances, and credit limits, prior to authorization. CAS's communication with the external databases is encrypted for security. Furthermore, CAS performs all identity checks in compliance with key privacy and security regulations.

eBay Implements Third-Party Knowledge-Based Authentication

eBay, in San Jose, California, implemented CAS to authenticate its on-line auction members. eBay is the world's largest on-line trading entity, where millions of people buy and sell millions of items every day. Potential buyers search for items and place bids on those items they are interested in purchasing. Sellers have the ability to market their product to millions of daily on-line visitors. Since eBay's business involves a large number of users and a high volume of transactions, it was aware of the potential risk of identity fraud. eBay decided to implement the CAS system because it enables eBay to better assure the identity of both new sellers and sellers of high-dollar value goods.

In the fall of 2002, eBay implemented its Identification (ID) Verify program, powered by VeriSign's CAS. The ID Verify program allows eBay customers to establish proof of their identity to eBay and other auction members. Once authenticated, ID Verify members receive a special icon in their user profile, which can be viewed by other auction members. ID Verify members receive additional auction privileges. For example, ID Verify members may bid on higher dollar value transactions and sell items using more exclusive listing features. Effectively, the ID Verify icon serves as a calling card to other auction members, helping them to identify a trusted trading partner. The ID Verify program is available to on-line auction members in the United States, Puerto Rico, the U.S. Virgin Islands, and Guam.

A member's privacy is important to eBay. The information provided to eBay during the ID Verify enrollment process is stored neither by eBay nor by VeriSign. Instead, VeriSign's CAS only compares customers' responses to external consumer and business databases. CAS assigns a numerical score to the comparison, which indicates its confidence in the information provided. Although CAS assigns a score, eBay is responsible for interpreting the score and deciding whether an applicant is accepted into its ID Verify program. Customer responses to CAS's credit-related questions do not affect their credit ratings. The on-line ID Verify process is protected by a secure and encrypted internet connection to help ensure users' privacy is maintained.

ELECTRONIC SIGNATURE CAPTURE

Electronic signature capture technology uses both computer hardware and software to capture a person's physical signature electronically. An electronic signature pad and related software are used to capture an individual's signature and then place an image of the signature within an electronic document. Signature pads are commonly found in retail stores as part of a system to process credit card transactions. Electronic signature capture is not limited to the retail industry. Other industries, such as insurance, have also embraced this technology.

Colonial Life & Accident Insurance Company Implemented Electronic Signature Capture

Like SSA, some insurance companies have many signature requirements for their paper records. Colonial Life & Accident Insurance Company (Colonial), an insurance company located in Columbia, South Carolina, processes over 700,000 signed applications a year and operates in 49 states. Prior to implementing electronic forms, paper documents were sent between agents and Colonial's home office to facilitate its insurance underwriting. Important paper records were transcribed into electronic format. This process was inefficient and subject to keying errors and time delays.

Prior to implementing electronic signature capture, Colonial began using electronic versions of its insurance documents. The electronic documents were installed on its agents' laptop computers in a process called electronic application submission. Despite this advancement, the physical signatures of both agents and the insurance applicant were still required. As a result, paper documents were still being created and processed. In 1999, Colonial implemented electronic signature capture using electronic signature pads connected to the agents' computers. With the addition of the electronic signature pads, Colonial effectively eliminated the need to handle most paper insurance applications.

One of Colonial's concerns in transitioning to electronic signature capture was whether agents and clients would accept the signature pads, since they were more comfortable using conventional paper forms. To further ease the transition from paper forms to electronically captured signatures, Colonial decided to place a small piece of paper over the electronic signature pad so that users may sign the paper with an ink pen, in a familiar manner. As the paper is signed with the conventional pen, an electronic version of the signature is simultaneously captured on the electronic pad. The presence of the piece of paper and ink pen helped both agents and clients feel better about adapting to the new electronic technology.

Today, Colonial processes approximately 80 percent of its new insurance policies using electronic forms and electronic signature capture. Colonial realized dramatic benefits in transitioning to an electronic application process. Among the benefits Colonial realized were reduced processing costs, improved timeliness, increased productivity, and enhanced customer service.

Electronic Signature Capture Can Prove an Individual's Identity

In addition to capturing an image of an individual's signature, electronic signature pads can be used to prove someone's identity. In a more advanced application of electronic signature capture, users may prove their identity by the way they physically sign their name. This electronic signature capture technology uses special software that measures the shape, speed, pressure, and stroke of an individual's signature. A sample of three to six signatures captured on an electronic signature pad is needed to create an electronic profile of the user's writing style.

The angle at which the pen is held, the pressure applied in signing, and the signature style are all captured and stored in an electronic profile. This profile is stored in a computer system for comparison with future electronic pad transactions. In subsequent transactions, when a person signs an electronic signature pad, their signature is electronically compared to their profile to authenticate them. Once authenticated, an image of the signature is also placed into a related electronic document. Together, the image and the associated characteristics become the individual's legal signature.

Communication Intelligence Corporation (CIC), in Redwood Shores, California, manufactures handwritten signature software similar to that described for Colonial and has developed technology to authenticate electronically captured signatures. This technology is referred to as eSignature and enables an organization to:

• identify an individual based on their signature,
• capture a legally binding and regulatory compliant electronic handwritten signature,
• electronically seal the signature and document content together to prevent and detect tampering, and
• minimize the risk of having an electronically captured signature later be denied as a forgery.

In addition to authenticating a user in a financial transaction, this technology provides a verifiable electronic signature that can replace passwords. This method of authentication provides an added level of security over simple passwords. Although passwords can be given to other individuals, stolen, or forgotten, a signature is unique to an individual and cannot be forgotten. Potentially, this technology can replace passwords to access networks, secure laptop or handheld computers, or even secure individual files on a network.

Nationwide Building Society is Identifying Customers by their Electronic Signature

In the public and private sectors, the ability to capture signatures, as well as verify the identity of users in an electronic transaction, is becoming more important. One company, Nationwide Building Society (NBS), a banking institution in the United Kingdom, has recognized the merits of electronically capturing and authenticating its customers' signatures to complete a transaction. For 2 years, NBS researched various methods to authenticate its customers and selected CIC's eSignature technology.

NBS has 70 processes that require a signature and produce large volumes of paper. NBS expects to see dramatic improvement in transaction efficiency and fraud prevention using eSignature. NBS also anticipates significant cost savings through paper reduction. In fact, NBS expects to achieve a return on its investment within 3 years through paper reduction and fraud prevention.

NBS has begun the initial phases of implementing the eSignature technology. Initially, electronic signature pads will be used to sign forms. In the near future, NBS expects to implement eSignature for customer cash withdrawals and to open bank accounts. In a recent test trial of 120 staff, NBS found it was impossible for participants to forge a signature just by copying it, and the electronic pad system neither rejected a legitimate signature nor accepted one that was false.

ELECTRONIC RECORDS STOR AGE

As Government and business entities increase operations in an electronic records environment, the number of electronic records they need to store will continue to increase. These entities recognize the significant cost of storing and retrieving paper-based records. As a result, some entities are exploring electronic records archives as an alternative storage medium. Records experts acknowledge that the electronic storage of documents can be cost-effective, but because clear policies, technical standards, and resources are often lacking, some agencies are hesitant to "go paperless."

The National Archives and Records Administration (NARA) is responsible for assisting Federal agencies in maintaining adequate and proper documentation of Government policies and transactions.³ NARA, as well as the Library of Congress, is working to address the issue of preserving electronic information over the long term. According to NARA officials, electronic records policy is still evolving, but fundamentally, electronic records retention is inherently a records management issue dealing with efficiency and the protection of rights.

³ NARA is an independent Federal agency, authorized under 44 U.S.C. § 2101 et seq., whose mission ensures, for the citizen and the public servant, for the President and Congress and the Courts, ready access to essential evidence.

Converting Paper Records into Electronic Form

The process of converting paper documents into electronic form is referred to as imaging. Imaging is the process by which a paper document is converted to a computer-readable digital-image file. To obtain an image, a device, such as a scanner, is used to capture an electronic image of an original document. Special software then saves the image as a computer file to store the data. Once created, the computer files are stored in an electronic medium. The most common types of storage mediums are magnetic tapes and discs, and optical media, such as CD-ROM. The amount of time and labor needed to scan or image a document is dependent upon how efficiently the paper records can be retrieved and processed into the scanner.

An official at NARA explained that electronic records storage is a viable archive format. According to this official, original paper records may be destroyed after they are converted to electronic format, if adequate safeguards are in place to verify the authenticity and accuracy of an original scanned document and sufficient safeguards are in place to protect against unauthorized alteration or destruction of new archive records. Moreover, he explained that a correctly scanned image may be as reliable as the original document and is also considered an official record. Despite embracing electronic records storage, the NARA official cautioned that the storage medium used today will likely change in the future. To help ensure that electronically stored information remains readily accessible and to minimize electronic information storage costs, the NARA official recommends periodically migrating electronically stored files to newer, less expensive storage mediums.

The NARA official also expressed concern with storing information in software-specific (proprietary) electronic file formats. He cautions that information stored in present proprietary file formats may not be accessible by future computer software. In the long term, proprietary file formats may become obsolete, manufacturers may not support software used to read the file formats, or newly developed software may not be backward compatible to read earlier file formats. The official suggests storing data in standard formats that are easily read by most software and require less storage space.

CONCLUSIONS AND RECOMMENDATIONS

We acknowledge that SSA management has tested or implemented some aspects of the electronic records authentication practices discussed in this report, especially in the areas of PKI and knowledge-based authentication. We are encouraged that SSA continues to refine and improve its current electronic records authentication techniques. We believe the current practices discussed in this report are compatible with SSA's electronic service delivery initiative. Moreover, we believe the authentication successes realized by the organizations we contacted warrant SSA's consideration of their practices. We recommend that SSA:

1. Consider these organizations' use of PKI, knowledge-based authentication, and electronic signature capture as they relate to the agency's electronic service delivery initiative.

2. Ensure that its electronic records storage procedures specify file formats that remain readable by future generations of software.

AGENCY COMMENTS

In commenting on the draft report, SSA agreed with our recommendations. SSA also provided additional comments that we incorporated in the report as appropriate. See Appendix B for the full text of SSA comments.

James G. Huse, Jr.

Appendices

APPENDIX A – Background, Scope and Methodology
APPENDIX B – Agency Comments
APPENDIX C – OIG Contacts and Staff Acknowledgments

Appendix A
Background, Scope and Methodology

Background

The Social Security Administration (SSA) is currently testing several uses of public key infrastructure (PKI) to support its business processes. For example, PKI is being tested to electronically report annual wages and medical information. Also, SSA is presently using forms of knowledge-based authentication techniques to prove the identity of its beneficiaries. For example, once authenticated, beneficiaries can change their mailing address, check their Social Security benefits, and apply for direct deposit over the internet.

In addition to the above examples, SSA stated that it has performed extensive work in the area of electronic records authentication. Regarding this work, SSA explained that it has obtained legal opinions from its General Counsel, established policies, and implemented best practices. Moreover, SSA indicated that it is an active participant in the E-Authentication project and the Electronic Records Management project under the E-Government Initiative of the President's Management Agenda.

Organizations conducting on-line transactions must verify the identities of their users to avoid potential fraud-related losses. Identity fraud is one of the fastest growing crimes today and is often perpetrated via computers and databases. We consulted Frank W. Abagnale, founder of the secure documents company Abagnale & Associates in Washington, DC. Mr. Abagnale is a:

• world-famous former con artist,
• bestselling author of Catch Me If You Can and The Art of the Steal, and
• long-term consultant (25 years) to the Federal Bureau of Investigation's (FBI) financial crimes unit.

Mr. Abagnale recommended organizations guard against potential loss and fraud created by identity theft. He warned, "What one man creates, another can foil." In creating an authentication system, Mr. Abagnale explained that there is often a trade-off between usability and security. Therefore, he recommends that a comprehensive risk assessment and business analysis be performed to match the sensitivity of the data with the appropriate level of authentication.

Scope and Methodology

This review was designed to identify current practices in electronic records authentication that may enhance SSA's electronic service delivery initiative. We interviewed the following entities to gain an understanding of their electronic records authentication technology or techniques. See Table 1 at the end of this appendix for a brief description of the entities included in our review. We selected these organizations because they have either developed or successfully used authentication technologies.

• Centers for Disease Control, Atlanta, Georgia
• Colonial Life & Accident Insurance Company, Columbia, South Carolina
• Communication Intelligence Corporation, Redwood Shores, California
• eBay, San Jose, California
• Nationwide Building Society, United Kingdom
• VeriSign, Inc., Dulles, Virginia

We performed our work with the entities above and at the Office of Audit, Atlanta, Georgia. We conducted our review from April through July 2003 in accordance with generally accepted government auditing standards.

The organizations we contacted have reviewed the information we presented in this report and have authorized its use.

Table 1: Description of Entities Contacted

Entity: Centers for Disease Control (CDC)
Business Purpose: The CDC is recognized as the lead Federal agency for protecting the health and safety of people—at home and abroad, providing credible information to enhance health decisions, and promoting health through strong partnerships.

Entity: Communication Intelligence Corporation (CIC)
Business Purpose: CIC develops and provides electronic and digital signature solutions, which authenticate electronic handwritten signatures and original content of on-line digital documents.

Entity: Colonial Life & Accident Insurance Company (Colonial)
Business Purpose: Colonial offers a broad line of insurance products, including disability, accident, life, cancer, critical illness and hospital confinement.

Entity: eBay
Business Purpose: eBay is the world's largest on-line trading community, where millions of people buy and sell millions of items every day.

Entity: Nationwide Building Society (NBS)
Business Purpose: NBS offers a range of retail financial services, including mortgages, savings, current accounts, life assurance and investment products, personal loans, and household insurance.

Entity: VeriSign, Inc. (VeriSign)
Business Purpose: VeriSign delivers critical infrastructure services that make the Internet and telecommunications networks more intelligent, reliable, and secure.

Appendix B
Agency Comments

SOCIAL SECURITY
MEMORANDUM   113-24-1069

Date: January 22, 2004   Refer To: S1J-3
To: James G. Huse, Jr., Inspector General
From: Larry W. Dye /s/, Chief of Staff
Subject: Office of the Inspector General (OIG) Draft Management Advisory Report "Current Practices in Electronic Records Authentication" (A-04-04-24004)—INFORMATION

We appreciate OIG's efforts in conducting this review. Our comments on the draft report content and recommendations are attached.

Please let me know if you have any questions. Staff inquiries may be directed to Candace Skurnik, Director, Audit Management and Liaison Staff, on extension 54636.

Attachment:
SSA Response

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT MANAGEMENT ADVISORY REPORT "CURRENT PRACTICES IN ELECTRONIC RECORDS AUTHENTICATION" (AUDIT NO. A-04-04-24004)

We appreciate the opportunity to review and comment on the draft report. Although SSA had the first production of Public Key Infrastructure (PKI) application on the Federal e-Authentication infrastructure, we acknowledge that we must be vigilant in ensuring that the best approaches are employed.
We agree with the recommendations and will continue to\nconsider the use of PKI, knowledge-based authentication and electronic signature capture in\nfuture electronic service delivery initiatives. Additionally, we will endeavor to ensure that\nelectronic records storage procedures specify file formats that remain readable by future\ngenerations of software.\n\nWe appreciate your efforts in providing this broad overview of authentication practices and\nelectronic records storage in a few public and private organizations. As mentioned at the exit\nconference, however, we had anticipated the report would provide more details on the pros and\ncons of each authentication method. In addition, while the report provides a cursory review of\ntechnologies used for encryption, identity authentication and access control, we believe that\nsome of the definitions and examples confuse the application of these technologies for use in\nauthentication, authorization and records management.\n\nSpecific areas requiring clarification include:\n\n\xe2\x80\xa2   the area that discusses the use of Public Key technology for encryption (cryptographic\n    transmission security) and authentication which requires a PKI certificate be issued for the\n    express purpose of digital signature activity,\n\xe2\x80\xa2   the discussion that electronic signature capture conveys authentication of identity; it is not\n    clear in distinguishing verification of records versus authentication of individuals\xe2\x80\x99 identities.\n    On page 3 \xe2\x80\x93 4th bullet \xe2\x80\x93 \xe2\x80\x9celiminates unauthorized access\xe2\x80\xa6.\xe2\x80\x9d PKI (or any other\n    authentication methodology) coupled with an appropriate and robust authorization\n    mechanism helps to eliminate unauthorized access to \xe2\x80\x9cresources.\xe2\x80\x9d There is a common\n    misunderstanding where \xe2\x80\x9cauthentication\xe2\x80\x9d and \xe2\x80\x9cauthorization\xe2\x80\x9d are used interchangeably.\n    
Authentication provides a measurable level of assurance of properly identifying an\n    individual; while authorization controls what resources that authenticated individual can\n    access and what roles they may take with those allowed resources.\n\nAlso, as you may already know, the General Services Administration (GSA), in coordination\nwith the Office of Management and Budget (OMB), has the lead for developing a government-\nwide E-Authentication Policy that will establish a standard framework for assessing e-\ngovernment electronic transaction authentication requirements. The proposed E-Authentication\nPolicy establishes a four-level approach for authentication to ensure trustworthy electronic\ntransactions and to fulfill Federal privacy and information security requirements. It also\nspecifies a three-step implementation process that includes: 1) conducting a risk assessment in\naccordance with the guidance explained in Part II of the Government Paperwork Elimination Act\nand Section 2 of the proposed Policy; 2) determining the appropriate assurance level based upon\n\n\n\n                                                  B-2\n\x0c the identified risks; and 3) deploying the corresponding technology solution based on the e-\nauthentication technical guidance to be issued by the Department of Commerce\'s National\nInstitute of Standards and Technology (NIST).\n\nOn December 16, 2003, OMB released the E-Authentication guidance for all Federal agencies.\nThat guidance updates the earlier guidance issued by OMB under the Government Paperwork\nElimination Act of 1998, 44 U.S.C. \xc2\xa7 3504 and implements section 203 of the E-Government\nAct, 44 U.S.C. ch 36. 
It also mandates that all Federal agencies categorize all existing\ntransactions/systems requiring user authentications into one of the OMB described assurance\nlevels:\n\n   \xe2\x80\xa2   Systems classified as \xe2\x80\x9cmajor\xe2\x80\x9d must be completed by December 15, 2004.\n   \xe2\x80\xa2   New authentication systems should begin to be categorized, as part of the system design,\n       within 90 days of the completion of the final E-Authentication Technical Guidance issued\n       by the NIST.\n\nGiven GSA\xe2\x80\x99s and OMB\xe2\x80\x99s efforts in this area to date, we expect that Federal agencies will be\nrequired to take actions well beyond those recommended in this report.\n\nFinally, while we recognize that the purpose of the review was to identify and evaluate electronic\nrecords practices of other entities, the conclusions statement that begins \xe2\x80\x9cSSA management has\ntested or implemented some aspects of the electronic records authentication practices,\xe2\x80\x9d implies\nthat the Agency has done limited work in this area. The report should highlight the fact that we\nhave done extensive research including obtaining General Counsel opinions, establishing internal\npolicies and implementing best-practices based on our work in the field of electronic\nauthentication. We are an active participant in both the E-Authentication project and the\nElectronic Records Management project, under the E-Government Initiative of the President\xe2\x80\x99s\nManagement Agenda.\n\nOur specific comments to the recommendations are provided below.\n\nRecommendation 1\n\nSSA should consider these organizations\xe2\x80\x99 use of PKI, knowledge-based authentication, and\nelectronic signature capture as they relate to the Agency\xe2\x80\x99s electronic service delivery initiative.\n\nResponse\n\nWe agree. 
We have already exceeded the recommendations of this report through participation\nin both Government and private industry organizations and standards bodies dealing with\nelectronic authentication technologies and electronic records management. Our Office of\nElectronic Services (OES) investigates, analyzes and pilots the application\nof technologies in our business processes. They also monitor private industry and government-\nwide activities and policies to ensure that we investigate potential technologies that will provide\nbetter service to the public. Additionally, they provide support through installation, training and\nsupport of technologies throughout the field structure as they are made available.\n\n\n\n                                                B-3\n\x0cRecommendation 2\n\nSSA should ensure that its electronic records storage procedures specify file formats that remain\nreadable by future generations of software.\n\nResponse\n\nWe agree. Electronic records are an emerging field for the National Archives and Records\nAdministration (NARA). They have established record management criteria and endorsed the\nDepartment of Defense\xe2\x80\x99s (DOD) 5015 as a record management system that meets their\nrequirements. Our records management staff are working with the Office of Systems to ensure\nthat Agency specifications for system design and management meet all NARA requirements\nincluding that electronic storage be in a viable archive format easily read and requiring minimum\nstorage space. The Office of Systems has determined that their standard architecture meets these\nbasic requirements. 
They have also developed a matrix that cross walks their plan for our\nelectronic record management system with the NARA requirements and the criteria established\nby DOD to demonstrate that the evolving SSA record management system will meet NARA\xe2\x80\x99s\nrequirements for electronic recordkeeping.\n\n\n\n\n                                               B-4\n\x0c                                                                       Appendix C\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Mark Bailey, Director (816) 936-5591\n\n   Frank Nagy, Audit Manager (404) 562-5552\n\nStaff Acknowledgments\n\nIn addition to those named above:\n\n   David McGhee, Auditor\n\n\nFor additional copies of this report, please visit our web site at www.ssa.gov/oig or\ncontact the Office of the Inspector General\xe2\x80\x99s Public Affairs Specialist at (410) 965-1375.\nRefer to Common Identification Number A-04-04-24004.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. 
Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                   Overview of the Office of the Inspector General\n\n                                             Office of Audit\nThe Office of Audit (OA) conducts comprehensive financial and performance audits of the\nSocial Security Administration\xe2\x80\x99s (SSA) programs and makes recommendations to ensure that\nprogram objectives are achieved effectively and efficiently. Financial audits, required by the\nChief Financial Officers\' Act of 1990, assess whether SSA\xe2\x80\x99s financial statements fairly present\nthe Agency\xe2\x80\x99s financial position, results of operations and cash flow. Performance audits review\nthe economy, efficiency and effectiveness of SSA\xe2\x80\x99s programs. OA also conducts short-term\nmanagement and program evaluations focused on issues of concern to SSA, Congress and the\ngeneral public. Evaluations often focus on identifying and recommending ways to prevent and\nminimize program fraud and inefficiency, rather than detecting problems after they occur.\n\n                                    Office of Executive Operations\nThe Office of Executive Operations (OEO) supports the Office of the Inspector General (OIG)\nby providing information resource management; systems security; and the coordination of\nbudget, procurement, telecommunications, facilities and equipment, and human resources. In\naddition, this office is the focal point for the OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act. 
OEO is also responsible for performing internal reviews to ensure\nthat OIG offices nationwide hold themselves to the same rigorous standards that we expect from\nSSA, as well as conducting investigations of OIG employees, when necessary. Finally, OEO\nadministers OIG\xe2\x80\x99s public affairs, media, and interagency activities, coordinates responses to\nCongressional requests for information, and also communicates OIG\xe2\x80\x99s planned and current\nactivities and their results to the Commissioner and Congress.\n\n                                        Office of Investigations\nThe Office of Investigations (OI) conducts and coordinates investigative activity related to fraud,\nwaste, abuse, and mismanagement of SSA programs and operations. This includes wrongdoing\nby applicants, beneficiaries, contractors, physicians, interpreters, representative payees, third\nparties, and by SSA employees in the performance of their duties. OI also conducts joint\ninvestigations with other Federal, State, and local law enforcement agencies.\n\n                                   Counsel to the Inspector General\nThe Counsel to the Inspector General provides legal advice and counsel to the Inspector General\non various matters, including: 1) statutes, regulations, legislation, and policy directives\ngoverning the administration of SSA\xe2\x80\x99s programs; 2) investigative procedures and techniques;\nand 3) legal implications and conclusions to be drawn from audit and investigative material\nproduced by the OIG. The Counsel\xe2\x80\x99s office also administers the civil monetary penalty program.\n\x0c'